[arch-general] Package signing: database signatures?
Hello everybody,

afaik, database files in official repositories are not signed yet. Are they?

This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if anybody wants to provide an infected package he/she only needs to provide no signature at all and the package is happily accepted, no?

So when will database files from official packages be signed?

And even more interesting: Does it make sense to add a new option 'PkgRequired'? This could force valid signatures for packages and make it optional for database files.

--
Best regards,
Chris O< ascii ribbon campaign
         stop html mail - www.asciiribbon.org
On 05/03/12 19:39, Christian Hesse wrote:
And even more interesting: Does it make sense to add a new option 'PkgRequired'? This could force valid signatures for packages and make it optional for database files.
You mean like the "PackageRequired" option that is already there? Or you could use "Required DatabaseOptional". Allan
On 05.03.2012 10:39, Christian Hesse wrote:
Hello everybody,
afaik, database files in official repositories are not signed yet. Are they?
This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if anybody wants to provide an infected package he/she only needs to provide no signature at all and the package is happily accepted, no?
So when will database files from official packages be signed?
And even more interesting: Does it make sense to add a new option 'PkgRequired'? This could force valid signatures for packages and make it optional for database files.
You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" and use "Optional PackageRequired" -- Florian Pritz
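The two settings suggested above (Allan's "Required DatabaseOptional" and Florian's "Optional PackageRequired") side by side with the weak setting Christian started from, as an added pacman.conf illustration that is not part of the thread; the repository section is an assumption to show that SigLevel can also be set per repository, which is the finest granularity pacman.conf(5) offers (per repo, not per package name).

```ini
# Added illustration, not a configuration posted in the thread.
[options]
# Weak: a bare 'Optional' lets an unsigned package through, which is
# exactly the gap Christian describes (signatures are only checked
# if they happen to be present).
#SigLevel = Optional

# Allan's suggestion: signatures are mandatory for packages, while the
# repository database files may still be unsigned.
SigLevel = Required DatabaseOptional

# Florian's suggestion, equivalent in effect: start from 'Optional' and
# tighten only the package check with the 'Package' prefix.
#SigLevel = Optional PackageRequired

# Assumed example repository: a SigLevel inside a repository section
# overrides the global one for that repository only. This is the
# closest thing to the "per package" tuning asked about later in the
# thread; there is no per-package-name SigLevel.
[core]
SigLevel = Required DatabaseOptional
Include = /etc/pacman.d/mirrorlist
```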
Florian Pritz <bluewind@xinu.at> on Mon, 05 Mar 2012 10:42:15 +0100:
On 05.03.2012 10:39, Christian Hesse wrote:
Hello everybody,
afaik, database files in official repositories are not signed yet. Are they?
This forces one to set SigLevel to 'Optional' instead of 'Required'. Now if anybody wants to provide an infected package he/she only needs to provide no signature at all and the package is happily accepted, no?
So when will database files from official packages be signed?
And even more interesting: Does it make sense to add a new option 'PkgRequired'? This could force valid signatures for packages and make it optional for database files.
You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" and use "Optional PackageRequired"
I misread the lines about combining the options and prefixes. My fault, I am perfectly happy now. ;) Sorry for the noise!

--
Best regards,
Chris O< ascii ribbon campaign
         stop html mail - www.asciiribbon.org
On Mon, 05 Mar 2012 10:42:15 +0100 Florian Pritz wrote:
You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" and use "Optional PackageRequired"
Quick question and I'm guessing the answer will be just to wait and that's fine.

There are just a few packages preventing me from using Required in pacman.conf. Like scribes and xcb-proto (the testing version is signed so I guess that will migrate).

Just wondering if there is any pacman.conf magic that will tie a signature checking setting to a particular package name?

p.s.

I don't know what people use apart from just updating regularly but I've just written a script to look up packages installed with exploits (CVEs) and also currently in the three main repos for Arch. I haven't the time at the mo to make it less crude and generic/ready/fancy for the general public, but if anyone's interested let me know.

This is what I found recently.

bugzilla-4.2 flyspray-0.9.9.6 phpldapadmin-1.2.2 wordpress-3.3.1 emacs-23.4 flashplugin-11.1.102.62 glib-1.2.10 mysql-5.5.21 ocaml-3.12.1 tomcat-5.5.34 vlc-2.0.0
On 11/03/12 02:12, Kevin Chadwick wrote:
On Mon, 05 Mar 2012 10:42:15 +0100 Florian Pritz wrote:
You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" and use "Optional PackageRequired"
Quick question and I'm guessing the answer will be just to wait and that's fine.
There are just a few packages preventing me from using Required in pacman.conf.
Like scribes and xcb-proto (the testing version is signed so I guess that will migrate).
Just wondering if there is any pacman.conf magic that will tie a signature checking setting to a particular package name?
p.s.
I don't know what people use apart from just updating regularly but I've just written a script to look up packages installed with exploits (CVEs) and also currently in the three main repos for Arch. I haven't the time at the mo to make it less crude and generic/ready/fancy for the general public, but if anyone's interested let me know.
This is what I found recently.
bugzilla-4.2 flyspray-0.9.9.6 phpldapadmin-1.2.2 wordpress-3.3.1 emacs-23.4 flashplugin-11.1.102.62 glib-1.2.10 mysql-5.5.21 ocaml-3.12.1 tomcat-5.5.34 vlc-2.0.0
Report issues to the bugtracker. Most packagers do not read this list. But make sure they are not already patched. Allan
On 03/10/2012 08:12 AM, Kevin Chadwick wrote:
On Mon, 05 Mar 2012 10:42:15 +0100 Florian Pritz wrote:
You should read pacman.conf(5) "PACKAGE AND DATABASE SIGNATURE CHECKING" and use "Optional PackageRequired"
Quick question and I'm guessing the answer will be just to wait and that's fine.
There are just a few packages preventing me from using Required in pacman.conf.
Like scribes and xcb-proto (the testing version is signed so I guess that will migrate).
Just wondering if there is any pacman.conf magic that will tie a signature checking setting to a particular package name?
p.s.
I don't know what people use apart from just updating regularly but I've just written a script to look up packages installed with exploits (CVEs) and also currently in the three main repos for Arch. I haven't the time at the mo to make it less crude and generic/ready/fancy for the general public, but if anyone's interested let me know.
I would be interested in seeing the script you wrote for this please. Thanks :)
This is what I found recently.
bugzilla-4.2 flyspray-0.9.9.6 phpldapadmin-1.2.2 wordpress-3.3.1 emacs-23.4 flashplugin-11.1.102.62 glib-1.2.10 mysql-5.5.21 ocaml-3.12.1 tomcat-5.5.34 vlc-2.0.0
Participants (5): Allan McRae, Christian Hesse, Don deJuan, Florian Pritz, Kevin Chadwick